Computing method for elliptic curve cryptography

ABSTRACT

A fast cryptographic method between two entities exchanging data via a non-secure communication channel. The method, for example, forms a common key between two entities (A,B), each having a secret key (a,b) and using a public key (P) formed by a point of an elliptic curve (E), and includes at least multiplying the odd order point (P) by an integer by additions and halving operations.

FIELD

The invention relates to a cryptographic method employed between two entities exchanging information over a non-secure communication channel, for example a cable or radio network, the method assuring the confidentiality and the integrity of information transfer between the two entities. The invention relates more particularly to an improvement to cryptosystems employing calculations on an elliptic curve. The improvement mainly reduces the calculation time.

BACKGROUND

The Diffie-Hellman key exchange protocol is used to exchange keys securely between two entities. Using it entails employing a group in the mathematical sense of the term. One group that can be used is constituted by the points of an elliptic curve of the following type:

$y^2 + xy = x^3 + \alpha x^2 + \beta$

It is known that if $P = (x, y)$ is on the elliptic curve $E$, it is possible to define a "product" or "scalar multiplication" of the point $P$ of $E$ by an integer $m$. This operation is defined as follows:

$[m]P = P + P + \cdots + P \quad (m \text{ times})$

Doubling a chosen point $P$ on this kind of elliptic curve in a Diffie-Hellman key exchange algorithm is known in the art. This operation is known as "point doubling" and is part of an iterative double-and-add process. Each such doubling takes time.

The slowest part of the Diffie-Hellman key exchange protocol is multiplying an unknown point of the curve by a random scalar. Only elliptic curves defined over a field of characteristic two are considered here; this is a widely adopted implementation choice, because addition in a field of this kind corresponds to the "exclusive-or" operation.

It is known in the art that multiplication by a scalar can be accelerated for curves defined over a field of low cardinality by using the Frobenius morphism. The curves can be chosen so that none of the known attacks applies to them. However, it is obviously preferable, at least in principle, to be able to choose the curve to be used from a class of curves that is as general as possible. The fastest version of the method in accordance with the invention applies to half of the elliptic curves. Moreover, from a cryptographic point of view, that half is the better half. Before the theory of the method is described, the basic concepts are reviewed.

For simplicity, consider the elliptic curve $(E)$ that can be represented geometrically and is defined over the set $\mathbb{R}$ of real numbers by the equation $y^2 + y = x^3 - x^2$ shown in FIG. 1, in which figure a horizontal line represents an integer $m$, a vertical line represents an integer $n$ and each intersection of horizontal and vertical lines represents the integer coordinate pair $(m, n)$.

$(E)$ passes through a finite number of points with integer coordinates, and any secant of $(E)$ through such a point intersects $(E)$ at two points, which coincide in the case of a tangent to the curve.

The addition of any two of these points $A$ and $B$ is defined as follows: let $B_1$ be the point at which the straight line $(AB)$ intersects $(E)$; the vertical through $B_1$ intersects $(E)$ at $C = A + B$.

In the special case where $(AB')$ is tangential to $(E)$, $C'$ is the required sum.

The "intersection of all verticals" point $O$ is referred to as the point at infinity of $(E)$ and is the neutral element of the addition defined in this way, since, by applying the geometrical construction which defines the addition:

$A + O = O + A = A$

The doubling of $A$, denoted $[2]A$ and defined as $A + A$, is therefore the point $B'$, the straight line $(Ax)$ being tangential to $(E)$ at $A$.

By applying the "add $A$" construction to the point $B'$, the point $[3]A$ is obtained, and so on: this is the definition of the product $[n]A$ of a point by an integer.

The present invention in fact relates to a family of elliptic curves which cannot be represented geometrically but are defined as follows:

Let $n$ be a given integer, $\mathbb{F}_{2^n}$ the field of $2^n$ elements, and $\overline{\mathbb{F}_{2^n}}$ its algebraic closure. Let $O$ be the point at infinity. The non-supersingular elliptic curve $E$ defined over $\mathbb{F}_{2^n}$ is:

$E = \{(x, y) \in \overline{\mathbb{F}_{2^n}} \times \overline{\mathbb{F}_{2^n}} \mid y^2 + xy = x^3 + \alpha x^2 + \beta\} \cup \{O\}, \quad \alpha, \beta \in \mathbb{F}_{2^n},\ \beta \neq 0$

The elements of $E$ are usually referred to as "points". It is well known in the art that $E$ can be given an abelian group structure by taking the point at infinity as the neutral element. Hereinafter, the finite subgroup of rational points of $E$ is considered; it is defined by:

$E(\mathbb{F}_{2^n}) = \{(x, y) \in \mathbb{F}_{2^n} \times \mathbb{F}_{2^n} \mid y^2 + xy = x^3 + \alpha x^2 + \beta\} \cup \{O\}, \quad \alpha, \beta \in \mathbb{F}_{2^n},\ \beta \neq 0$

Let $\mathbb{N}$ be the set of natural integers; for all $m \in \mathbb{N}$, the "multiplication by $m$" map on $E$ is defined by:

$[m]: E \to E,\ P \mapsto P + \cdots + P \ (m \text{ times}), \quad \text{and } \forall P \in E: [0]P = O$

$E[m]$ is the kernel of this map. The points of the group $E[m]$ are called the $m$-torsion points of $E$. The group structure of the $m$-torsion points is well known in the art.

In the situation in which $m$ is a power of 2:

$\forall k \in \mathbb{N}: E[2^k] \cong \mathbb{Z}/2^k\mathbb{Z}$

where $\mathbb{Z}$ is the set of (relative) integers.

Because $E(\mathbb{F}_{2^n})$ is a finite subgroup of $E$, there exists $k' \geq 1$ such that $E[2^k]$ is contained in $E(\mathbb{F}_{2^n})$ if and only if $k \leq k'$. For the elliptic curves $E$ for which $k' = 1$, the structure of $E(\mathbb{F}_{2^n})$ is:

$E(\mathbb{F}_{2^n}) = G \times \{O, T_2\}$

where $G$ is a group of odd order and $T_2$ designates the unique point of order two of $E$. A curve of this kind is said to have minimal two-torsion.

SUMMARY

It is now possible to explain the object of the invention. Doubling is not injective when it is defined on $E$ or on $E(\mathbb{F}_{2^n})$, because its kernel is $E[2] = \{O, T_2\}$.

If, however, the domain of definition of doubling is restricted to an odd order subgroup $G \subset E(\mathbb{F}_{2^n})$, doubling becomes bijective.

As a result doubling admits an inverse map on that subgroup, referred to hereinafter as halving:

$[\tfrac{1}{2}]: G \to G,\ P \mapsto Q \text{ such that } [2]Q = P$

$[\tfrac{1}{2}]P$ is the point of $G$ which the doubling map sends to $P$. For all $k \geq 1$:

$\left[\tfrac{1}{2^k}\right] = \left[\tfrac{1}{2}\right] \circ \left[\tfrac{1}{2}\right] \circ \cdots \circ \left[\tfrac{1}{2}\right]$

denotes the $k$-fold composition of the halving map with itself.

Generally speaking, the invention therefore provides a cryptographic method employed between two entities exchanging information via a non-secure communication channel, the method including a step of multiplying an odd order point of a non-supersingular elliptic curve by an integer, characterized in that, for exchanging information via the non-secure communication channel, the above step includes additions and halvings of points of said elliptic curve, the addition of points being an operation known in the art and the halving of a point $P$ being defined as the unique odd order point $D$ such that $[2]D = P$, where

$\left[\tfrac{1}{2}\right]$ denotes the halving operation and

$\left[\tfrac{1}{2}\right]P$ denotes the point $D$.

The halving map is beneficial for the scalar multiplication of a point on an elliptic curve for the following reason: if affine coordinates are used, all the doublings of a point in a scalar multiplication can be replaced by halvings of a point.

Halving a point is much faster to calculate than doubling it. From a cryptographic point of view it is good to be able to choose from the greatest possible number of curves, and a curve is usually used for which the two-torsion of $E(\mathbb{F}_{2^n})$ is minimal or isomorphic to $\mathbb{Z}/4\mathbb{Z}$. For a given field $\mathbb{F}_{2^n}$, the minimal two-torsion elliptic curves constitute exactly half of the set of elliptic curves defined over $\mathbb{F}_{2^n}$. This is why, although it is not totally general, the fastest version of the method described applies to a good proportion of the curves of interest in cryptography. It can also be applied when the elements of the field are represented in a normal basis. In the case of a polynomial basis, the memory space required is of the order of $O(n^2)$ bits.

BRIEF DESCRIPTION OF THE DRAWINGS

Some examples are given hereinafter, with reference to the accompanyingdrawings, in which:

FIG. 1 is a graph showing a very particular elliptic curve that can be represented geometrically and is used hereinafter to explain elementary operations employed in the context of the invention;

FIG. 2 is a diagram showing exchanges of information in accordance with the invention between two entities;

FIGS. 3 to 6 are flowcharts explaining some applications conforming to the invention; and

FIG. 7 is a block diagram of another system for exchanging information between two entities A and B which can employ a cryptographic method according to the invention.

DETAILED DESCRIPTION

We will show how to calculate $[\tfrac{1}{2}]P \in G$ from $P \in G$. We will then show how to replace the doublings of points by halvings to execute a multiplication by a scalar.

We will use the usual affine representation of a point, $P = (x, y)$, and the representation $(x, \lambda_P)$ with $\lambda_P = x + y/x$.

From the second representation we recover $y = x(x + \lambda_P)$, which uses only one multiplication.

By proceeding in this way, to multiply a point by a scalar, we save multiplications by calculating the intermediate results in the representation $(x, \lambda_P)$; the second coordinate of the affine representation is determined only at the end of the calculation.

A point $P$ is halved in the following manner. To calculate $[\tfrac{1}{2}]P$ from $P$, consider the two points of $E$:

$P = (x, y) = (x, x(x + \lambda_P)) \quad \text{and} \quad Q = (u, v) = (u, u(u + \lambda_Q))$

such that $[2]Q = P$.

The doubling formulas known in the art yield:

$\lambda_Q = u + v/u \quad (1)$

$x = \lambda_Q^2 + \lambda_Q + \alpha \quad (2)$

$y = (x + u)\lambda_Q + x + v \quad (3)$

Multiplying (1) by $u$ and inserting the value of $v$ obtained in this way into (3), the above system becomes:

$v = u(u + \lambda_Q), \quad \lambda_Q^2 + \lambda_Q = \alpha + x, \quad y = (x + u)\lambda_Q + x + u^2 + u\lambda_Q = u^2 + x(\lambda_Q + 1)$

or, since $y = x(x + \lambda_P)$:

$\lambda_Q^2 + \lambda_Q = \alpha + x \quad \text{(i)}$

$u^2 = x(\lambda_Q + 1) + y = x(\lambda_Q + \lambda_P + x + 1) \quad \text{(ii)}$

$v = u(u + \lambda_Q) \quad \text{(iii)}$

Starting from $P = (x, y) = (x, x(x + \lambda_P))$ in affine coordinates or in the $(x, \lambda_P)$ representation, the above system of equations determines the following two points:

$[\tfrac{1}{2}]P \in G \quad \text{and} \quad [\tfrac{1}{2}]P + T_2 \in E(\mathbb{F}_{2^n}) \setminus G$

both of which give $P$ by doubling. The following property enables them to be distinguished.

Let $E$ be a minimal two-torsion elliptic curve and $P \in E(\mathbb{F}_{2^n}) = G \times \{O, T_2\}$ one of its odd order elements. Let $Q \in \{[\tfrac{1}{2}]P, [\tfrac{1}{2}]P + T_2\}$ and let $Q_1$ be one of the two points of $E$ such that $[2]Q_1 = Q$.

We have the necessary and sufficient condition:

$Q = [\tfrac{1}{2}]P \iff Q_1 \in E(\mathbb{F}_{2^n}) \quad \text{(a)}$

We deduce from this that it is possible to check whether $Q = [\tfrac{1}{2}]P$ by applying the formulas (i), (ii) and (iii) to $Q$ and verifying whether one of the points obtained belongs to $E(\mathbb{F}_{2^n})$.

We can extend this process to an arbitrary elliptic curve with $E(\mathbb{F}_{2^n}) = G \times E[2^k]$ (that is, $k' = k$) by applying the formulas (i), (ii) and (iii) $k$ times: the first time to $Q$, to obtain a point $Q_1$ such that $[2]Q_1 = Q$; the $i$-th time to $Q_{i-1}$, to obtain a point $Q_i$ such that $[2]Q_i = Q_{i-1}$. Writing $T_{2^j}$ for a point of order $2^j$ (with $T_1 = O$), the resultant point $Q_k$ will be of the form

$\left[\tfrac{1}{2^{k+1}}\right]P + T_{2^{k+1}}$

if and only if $Q = [\tfrac{1}{2}]P + T_2$, and will be of the form

$\left[\tfrac{1}{2^{k+1}}\right]P + T_{2^i} \quad \text{with } 0 \leq i \leq k$

if and only if $Q = [\tfrac{1}{2}]P$. We therefore have the necessary and sufficient condition:

$Q = [\tfrac{1}{2}]P \iff Q_k \in E(\mathbb{F}_{2^n})$

This process is evidently lengthy if $k$ is large.

The above equivalence (a) shows that we can determine whether $Q = [\tfrac{1}{2}]P$ or $Q = [\tfrac{1}{2}]P + T_2$ by examining whether the coordinates of $Q_1$ belong to $\mathbb{F}_{2^n}$ or to an extension field of $\mathbb{F}_{2^n}$. As $Q_1$ is determined by the equations (i), (ii) and (iii), we have to study the operations used in solving these equations which are not internal to the field but may have their result in an extension field of $\mathbb{F}_{2^n}$. The only possible instance is the solving of the second degree equation (i): we must also calculate a square root to obtain the first coordinate of $Q_1$, but in characteristic two finding a square root is an operation internal to the field. Thus:

$Q = (u, v) = [\tfrac{1}{2}]P \iff \exists \lambda \in \mathbb{F}_{2^n}: \lambda^2 + \lambda = \alpha + u$

Because finding the square root is internal to the field (squaring is a bijection of $\mathbb{F}_{2^n}$, so $\lambda^2 + \lambda = \alpha + u$ has a solution exactly when $\mu^2 + \mu = \alpha^2 + u^2$ has one, namely $\mu = \lambda^2$), this necessary and sufficient condition can also be written:

$Q = (u, v) = [\tfrac{1}{2}]P \iff \exists \lambda \in \mathbb{F}_{2^n}: \lambda^2 + \lambda = \alpha^2 + u^2$

The preceding relation is used to optimize the algorithm described below in cases where the square root calculation time is not negligible: the check can then be performed on $u^2$ before the square root $u$ is extracted.

For $P \in G$, the two solutions of (i) are $\lambda_{[1/2]P}$ and $\lambda_{[1/2]P} + 1$, and we deduce from (ii) that the first coordinates of the associated points are $u$ and $u + \sqrt{x}$. We can therefore deduce an algorithm for calculating $[\tfrac{1}{2}]P$ in the following manner:

If $\mathbb{F}_{2^n}$ is a finite field of $2^n$ elements, $E(\mathbb{F}_{2^n})$ is the subgroup of an elliptic curve $E$ defined by:

$E(\mathbb{F}_{2^n}) = \{(x, y) \in \mathbb{F}_{2^n} \times \mathbb{F}_{2^n} \mid y^2 + xy = x^3 + \alpha x^2 + \beta\} \cup \{O\}, \quad \alpha, \beta \in \mathbb{F}_{2^n},\ \beta \neq 0$

and $E[2^k]$ is the set of points $P$ of said elliptic curve such that $P$ added $2^k$ times to itself gives the neutral element $O$, $k$ being an integer greater than or equal to 1, then a point $P = (x, y)$ of said elliptic curve yields by said halving the point

$[\tfrac{1}{2}]P = (u_0, v_0)$

of said elliptic curve, obtained by effecting the following operations, illustrated by the FIG. 3 flowchart:

-   seek a first value $\lambda_0$ such that $\lambda_0^2 + \lambda_0 = \alpha + x$;
-   calculate a second value $u_0^2$ such that $u_0^2 = x(\lambda_0 + 1) + y$;
-   if $k$ has the value 1, check whether the equation $\lambda^2 + \lambda = \alpha^2 + u_0^2$ has solutions in $\mathbb{F}_{2^n}$:
    -   if so, calculate said halving as follows: $u_0 = \sqrt{u_0^2}$, $v_0 = u_0(u_0 + \lambda_0)$ and $[\tfrac{1}{2}]P = (u_0, v_0)$;
    -   if not, add $x$ to said second value $u_0^2$ and 1 to said first value $\lambda_0$, and calculate said halving as in the directly preceding operation;
-   if $k$ is greater than 1, perform the following iterative calculation, incrementing $i$ from $i = 1$ until the value $u_{k-1}^2$ is obtained:
    -   seek a value $\lambda_i$ such that $\lambda_i^2 + \lambda_i = \alpha + u_{i-1}$;
    -   then calculate the value $u_i^2$ such that $u_i^2 = u_{i-1}(\lambda_i + \lambda_{i-1} + u_{i-1} + 1)$;
    -   check whether the equation $\lambda^2 + \lambda = \alpha^2 + u_{k-1}^2$ has solutions in $\mathbb{F}_{2^n}$;
    -   if so, calculate said halving as follows: $u_0 = \sqrt{u_0^2}$, $v_0 = u_0(u_0 + \lambda_0)$ and $[\tfrac{1}{2}]P = (u_0, v_0)$;
    -   if not, add $x$ to said second value $u_0^2$ and 1 to said first value $\lambda_0$, and calculate said halving as in the preceding operation.

If we choose to represent the point $[\tfrac{1}{2}]P = (u_0, v_0)$ of the elliptic curve by $(u_0, \lambda_0)$ with $\lambda_0 = u_0 + v_0/u_0$, then the algorithm conforms to the FIG. 4 flowchart:

-   seek a first value $\lambda_0$ such that $\lambda_0^2 + \lambda_0 = \alpha + x$;
-   calculate a second value $u_0^2$ such that $u_0^2 = x(\lambda_0 + 1) + y$;
-   if $k$ has the value 1, check whether the equation $\lambda^2 + \lambda = \alpha^2 + u_0^2$ has solutions in $\mathbb{F}_{2^n}$:
    -   if so, calculate said halving as follows: $u_0 = \sqrt{u_0^2}$ and $[\tfrac{1}{2}]P = (u_0, \lambda_0)$;
    -   if not, add $x$ to said second value $u_0^2$ and 1 to said first value $\lambda_0$, and calculate said halving as in the preceding operation;
-   if $k$ is greater than 1, perform the following iterative calculation, incrementing $i$ from $i = 1$ until the value $u_{k-1}^2$ is obtained:
    -   seek a value $\lambda_i$ such that $\lambda_i^2 + \lambda_i = \alpha + u_{i-1}$;
    -   then calculate the value $u_i^2$ such that $u_i^2 = u_{i-1}(\lambda_i + \lambda_{i-1} + u_{i-1} + 1)$;
    -   check whether the equation $\lambda^2 + \lambda = \alpha^2 + u_{k-1}^2$ has solutions in $\mathbb{F}_{2^n}$;
    -   if so, calculate said halving as follows: $u_0 = \sqrt{u_0^2}$ and $[\tfrac{1}{2}]P = (u_0, \lambda_0)$;
    -   if not, add $x$ to said second value $u_0^2$ and 1 to said first value $\lambda_0$, and calculate said halving as in the preceding operation.

If we choose to represent the point $P = (x, y)$ by $(x, \lambda_P)$, setting $\lambda_P = x + y/x$, which yields by said halving the point $[\tfrac{1}{2}]P = (u_0, v_0)$ of said elliptic curve, then the algorithm conforms to the FIG. 5 flowchart:

-   seek a first value $\lambda_0$ such that $\lambda_0^2 + \lambda_0 = \alpha + x$;
-   calculate a second value $u_0^2$ such that $u_0^2 = x(\lambda_0 + \lambda_P + x + 1)$;
-   if $k$ has the value 1, check whether the equation $\lambda^2 + \lambda = \alpha^2 + u_0^2$ has solutions in $\mathbb{F}_{2^n}$:
    -   if so, calculate said halving as follows: $u_0 = \sqrt{u_0^2}$, $v_0 = u_0(u_0 + \lambda_0)$ and $[\tfrac{1}{2}]P = (u_0, v_0)$;
    -   if not, add $x$ to said second value $u_0^2$ and 1 to said first value $\lambda_0$, and calculate said halving as in the preceding operation;
-   if $k$ is greater than 1, perform the following iterative calculation, incrementing $i$ from $i = 1$ until the value $u_{k-1}^2$ is obtained:
    -   seek a value $\lambda_i$ such that $\lambda_i^2 + \lambda_i = \alpha + u_{i-1}$;
    -   then calculate the value $u_i^2$ such that $u_i^2 = u_{i-1}(\lambda_i + \lambda_{i-1} + u_{i-1} + 1)$;
    -   check whether the equation $\lambda^2 + \lambda = \alpha^2 + u_{k-1}^2$ has solutions in $\mathbb{F}_{2^n}$;
    -   if so, calculate said halving as follows: $u_0 = \sqrt{u_0^2}$, $v_0 = u_0(u_0 + \lambda_0)$ and $[\tfrac{1}{2}]P = (u_0, v_0)$;
    -   if not, add $x$ to said second value $u_0^2$ and 1 to said first value $\lambda_0$, and calculate said halving as in the preceding operation.

Finally, if we choose to represent the point $P = (x, y)$ by $(x, \lambda_P)$ with $\lambda_P = x + y/x$, which yields by said halving the point $[\tfrac{1}{2}]P = (u_0, v_0)$ of the elliptic curve, represented by $(u_0, \lambda_0)$ with $\lambda_0 = u_0 + v_0/u_0$, then the algorithm conforms to the FIG. 6 flowchart:

-   seek a first value $\lambda_0$ such that $\lambda_0^2 + \lambda_0 = \alpha + x$;
-   calculate a second value $u_0^2$ such that $u_0^2 = x(\lambda_0 + \lambda_P + x + 1)$;
-   if $k$ has the value 1, check whether the equation $\lambda^2 + \lambda = \alpha^2 + u_0^2$ has solutions in $\mathbb{F}_{2^n}$:
    -   if so, calculate said halving as follows: $u_0 = \sqrt{u_0^2}$ and $[\tfrac{1}{2}]P = (u_0, \lambda_0)$;
    -   if not, add $x$ to said second value $u_0^2$ and 1 to said first value $\lambda_0$, and calculate said halving as in the preceding operation;
-   if $k$ is greater than 1, perform the following iterative calculation, incrementing $i$ from $i = 1$ until the value $u_{k-1}^2$ is obtained:
    -   seek a value $\lambda_i$ such that $\lambda_i^2 + \lambda_i = \alpha + u_{i-1}$;
    -   then calculate the value $u_i^2$ such that $u_i^2 = u_{i-1}(\lambda_i + \lambda_{i-1} + u_{i-1} + 1)$;
    -   check whether the equation $\lambda^2 + \lambda = \alpha^2 + u_{k-1}^2$ has solutions in $\mathbb{F}_{2^n}$;
    -   if so, calculate said halving as follows: $u_0 = \sqrt{u_0^2}$ and $[\tfrac{1}{2}]P = (u_0, \lambda_0)$;
    -   if not, add $x$ to said second value $u_0^2$ and 1 to said first value $\lambda_0$, and calculate said halving as in the preceding operation.

We next describe how to perform the check, solve the second degree equation and calculate the square root in the algorithm for halving a point rapidly. We consider the normal basis and the polynomial basis.

The normal basis results are known in the art. We can consider $\mathbb{F}_{2^n}$ as an $n$-dimensional vector space over $\mathbb{F}_2$. In a normal basis, an element of the field is represented by:

$x = \sum_{i=0}^{n-1} x_i \beta^{2^i}, \quad x_i \in \{0, 1\}$

where $\beta \in \mathbb{F}_{2^n}$ is chosen such that $\{\beta, \beta^2, \ldots, \beta^{2^{n-1}}\}$ is a basis of $\mathbb{F}_{2^n}$. In a normal basis, the square root is calculated by a left circular shift and squaring by a right circular shift of the coordinate vector. The corresponding calculation times are therefore negligible.

If the second degree equation $\lambda^2 + \lambda = x$ has its solutions in $\mathbb{F}_{2^n}$, a solution is then given by:

$\lambda = \sum_{i=1}^{n-1} \lambda_i \beta^{2^i} \quad \text{with} \quad \lambda_i = \sum_{k=1}^{i} x_k, \quad 1 \leq i \leq n-1$

The time to calculate $\lambda$ is negligible compared to the time to calculate a multiplication or an inversion in the field. As the time to calculate a solution of the second degree equation is negligible, the check can be effected as follows: calculate a candidate $\lambda$ from $x$ and check whether $\lambda^2 + \lambda = x$. If not, the equation has no solution in $\mathbb{F}_{2^n}$.

In a polynomial basis, the following representation is used:

$x = \sum_{i=0}^{n-1} x_i T^i, \quad x_i \in \{0, 1\}$

The square root of $x$ can be calculated by storing the element $\sqrt{T}$, if we note that:

in a field of characteristic two, the square root is a field automorphism (the inverse of the Frobenius map), so that

$\sqrt{\sum_{i \text{ even}} x_i T^i} = \sum_{i \text{ even}} x_i T^{i/2}$

Grouping in $x$ the even and odd powers of $T$ and taking the square root, this becomes:

$\sqrt{x} = \sum_{i \text{ even}} x_i T^{i/2} + \sqrt{T} \sum_{i \text{ odd}} x_i T^{(i-1)/2}$

so that, to calculate a square root, it is sufficient to "compress" two vectors to half their length and then to multiply the previously calculated value $\sqrt{T}$ by an element of length $n/2$. This is why the time to calculate a square root in a polynomial basis is equivalent to half the time to calculate a multiplication in the field.

For the check and for solving the second degree equation, we consider $\mathbb{F}_{2^n}$ as an $n$-dimensional vector space over $\mathbb{F}_2$. The map $F$ defined by:

$F: \mathbb{F}_{2^n} \to \mathbb{F}_{2^n},\ \lambda \mapsto \lambda^2 + \lambda$

is then a linear operator with kernel $\{0, 1\}$.

For a given $x$, the equation $\lambda^2 + \lambda = x$ has its solutions in $\mathbb{F}_{2^n}$ if and only if the vector $x$ is in the image of $F$. $\operatorname{Im}(F)$ is an $(n-1)$-dimensional subspace of $\mathbb{F}_{2^n}$. For a given basis of $\mathbb{F}_{2^n}$ and the corresponding scalar product there exists a single non-trivial vector orthogonal to all the vectors of $\operatorname{Im}(F)$. Let $w$ be that vector. We have:

$\exists \lambda \in \mathbb{F}_{2^n}: \lambda^2 + \lambda = x \iff x \cdot w = 0$

Accordingly, the check can be performed by adding (modulo 2) the components of $x$ corresponding to the components of $w$ equal to 1. The time to perform this check is negligible.

To solve the second degree equation $F(\lambda) = \lambda^2 + \lambda = x$ in a polynomial basis, we propose a simple and direct method which requires the storage of an $n \times n$ matrix. For this we look for a linear operator $G$ such that:

$\forall x \in \operatorname{Im}(F): F(G(x)) = (G(x))^2 + G(x) = x$

Let $\gamma \in \mathbb{F}_{2^n}$ be a vector such that $\gamma \notin \operatorname{Im}(F)$ and define $G$ as follows:

$G = \tilde{F}^{-1} \quad \text{with} \quad \tilde{F}(T^i) = \begin{cases} \gamma & \text{if } i = 0 \\ F(T^i) & \text{if } 1 \leq i \leq n-1 \end{cases}$

Given that every $x \in \operatorname{Im}(F)$ can be written

$x = \sum_{i=1}^{n-1} x_i F(T^i)$

(the vectors $F(T), \ldots, F(T^{n-1})$ form a basis of $\operatorname{Im}(F)$, since $F$ is injective on the span of $T, \ldots, T^{n-1}$), $G(x)$ is then a solution of the second degree equation. One implementation consists of precalculating the matrix representing $G$ in the basis $\{1, T, \ldots, T^{n-1}\}$. In characteristic two, the multiplication of a matrix by a vector reduces to adding the columns of the matrix corresponding to the components of the vector equal to 1. It follows that this method of solving a second degree equation consumes on average $n/2$ additions in the field $\mathbb{F}_{2^n}$.
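The polynomial-basis tools just described, as an added example that is not code from the patent. The field is $\mathbb{F}_{2^7}$ in the basis $\{1, T, \ldots, T^6\}$ modulo $T^7 + T + 1$ and $\gamma = 1$, both chosen here ($\gamma = 1$ lies outside $\operatorname{Im}(F)$ for odd $n$ because $\operatorname{Tr}(1) = n \bmod 2$). The check vector $w$ is obtained from the fact, not stated in the text, that $\operatorname{Im}(F)$ is the kernel of the trace form, so $w_j = \operatorname{Tr}(T^j)$. The matrix $G = \tilde{F}^{-1}$ is built once by Gauss-Jordan elimination over $\mathbb{F}_2$ and applied by adding selected columns, and the square root uses a stored $\sqrt{T}$ as in the derivation above; all function names are mine.

```python
# Added example (not code from the patent): the polynomial-basis tools described above,
# on GF(2^N) = GF(2)[T]/(POLY) with N, POLY and gamma chosen here for illustration.
N = 7
POLY = 0b10000011                       # T^7 + T + 1, irreducible over GF(2)
GAMMA = 1                               # outside Im(F): Tr(1) = N mod 2 = 1 for odd N

def reduce_mod(p):                      # reduce a polynomial of degree < 2N modulo POLY
    for i in range(2 * N - 2, N - 1, -1):
        if p >> i & 1:
            p ^= POLY << (i - N)
    return p

def square(x):                          # x^2 = sum x_i T^(2i): spread the bits, then reduce
    return reduce_mod(sum((x >> i & 1) << 2 * i for i in range(N)))

def F(lam):                             # the F2-linear map lambda -> lambda^2 + lambda, kernel {0, 1}
    return square(lam) ^ lam

def trace(x):                           # Tr(x) = x + x^2 + ... + x^(2^(N-1)), always 0 or 1
    t = 0
    for _ in range(N):
        t, x = t ^ x, square(x)
    return t

# The check vector: Im(F) is the kernel of the trace, a linear form, so w_j = Tr(T^j).
W = sum(trace(1 << j) << j for j in range(N))

def has_root(x):                        # lambda^2 + lambda = x is solvable iff x . w = 0
    return bin(x & W).count("1") % 2 == 0

def invert_columns(cols):               # inverse of the F2 matrix with these columns, as columns
    n = len(cols)
    rows = [sum((cols[c] >> r & 1) << c for c in range(n)) | 1 << (n + r) for r in range(n)]
    for c in range(n):                  # Gauss-Jordan on the augmented matrix [M | I]
        p = next(i for i in range(c, n) if rows[i] >> c & 1)
        rows[c], rows[p] = rows[p], rows[c]
        for i in range(n):
            if i != c and rows[i] >> c & 1:
                rows[i] ^= rows[c]
    inv_rows = [row >> n for row in rows]
    return [sum((inv_rows[r] >> c & 1) << r for r in range(n)) for c in range(n)]

# F~(1) = gamma and F~(T^i) = F(T^i) for i >= 1 is invertible; G = F~^-1 is stored once.
G_COLS = invert_columns([GAMMA] + [F(1 << i) for i in range(1, N)])

def G(x):                               # matrix times vector: XOR the columns selected by bits of x
    acc = 0
    for i in range(N):
        if x >> i & 1:
            acc ^= G_COLS[i]
    return acc

# Square root: sqrt(x) = sum_{i even} x_i T^(i/2) + sqrt(T) * sum_{i odd} x_i T^((i-1)/2),
# with sqrt(T) = T^(2^(N-1)) and its multiples sqrt(T) * T^i computed once.
SQRT_T = 0b10
for _ in range(N - 1):
    SQRT_T = square(SQRT_T)
SQRT_T_COLS = [reduce_mod(SQRT_T << i) for i in range(N // 2 + 1)]

def sqrt(x):
    half = lambda parity: sum((x >> i & 1) << i // 2 for i in range(parity, N, 2))
    acc, odd = half(0), half(1)         # the odd part has at most N/2 bits
    for i in range(N // 2 + 1):
        if odd >> i & 1:
            acc ^= SQRT_T_COLS[i]
    return acc
```

`has_root` costs one masked parity, `G` at most $n$ column additions and `sqrt` at most $n/2$ additions of precomputed values, which is the cost profile the text relies on; $G(x)$ is only a root of $\lambda^2 + \lambda = x$ when `has_root(x)` holds, and the other root is $G(x) + 1$.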

Application of the principles explained above to scalar multiplication is described below.

Let $P \in E(\mathbb{F}_{2^n})$ be a point of odd order $r$, $c$ a random integer and $m$ the integer part of $\log_2(r)$. We calculate the product $[c]P$ of the point by the scalar using the point halving map.

We show that for any integer $c$ there is a rational number of the form

$\sum_{i=0}^{m} \frac{c_i}{2^i}, \quad c_i \in \{0, 1\}$

such that:

$c \equiv \sum_{i=0}^{m} \frac{c_i}{2^i} \pmod{r}$

Indeed, the integer $c \cdot 2^m \bmod r$ is smaller than $r < 2^{m+1}$, so it is written in binary with the $m+1$ bits $b_0, \ldots, b_m$, and $c \equiv 2^{-m} \sum_j b_j 2^j \pmod{r}$, that is $c_i = b_{m-i}$. Let $\langle P \rangle$ be the cyclic group generated by $P$. Because of the group isomorphism

$\langle P \rangle \cong \mathbb{Z}/r\mathbb{Z}, \quad [k]P \mapsto k$

(in which $\mathbb{Z}/r\mathbb{Z}$ is a ring where 2 is invertible, $r$ being odd), the scalar multiplication can be calculated as follows:

$[c]P = \sum_{i=0}^{m} \left[\frac{c_i}{2^i}\right] P$

using halvings and additions. We can use the double-and-add algorithm well known in the art for these calculations; it is sufficient to replace doubling by halving in the algorithm. It is necessary to execute $\log_2(r)$ halvings and, on average, $\tfrac{1}{2}\log_2(r)$ additions. There are improved versions of the double-and-add algorithm which require only $\tfrac{1}{3}\log_2(r)$ additions on average.

Consequently, a scalar multiplication using halving as defined above is obtained by means of the following operations:

if the scalar of the multiplication is denoted $S$, choose $m + 1$ values $S_0, \ldots, S_m \in \{0, 1\}$ which define $S$ as follows:

$S \equiv \sum_{i=0}^{m} S_i \left(\frac{r+1}{2}\right)^i \pmod{r}$

$r$ being the aforementioned odd order, $(r+1)/2$ the inverse of 2 modulo $r$, and $m$ the single integer between $\log_2(r) - 1$ and $\log_2(r)$;

calculate the scalar multiplication $[S]P$ of a point $P$ of said elliptic curve by the scalar $S$ by applying an algorithm consisting of determining the series of points $(Q_{m+1}, Q_m, \ldots, Q_i, \ldots, Q_0)$ of said elliptic curve $E$ such that:

$Q_{m+1} = O$ (neutral element)

$Q_i = [S_i]P + \left[\tfrac{1}{2}\right] Q_{i+1} \quad \text{with } 0 \leq i \leq m$

and calculate the last point $Q_0$ of said series, which is the result $[S]P$ of said scalar multiplication.

To add the initial point $P$ to an intermediate point $Q = [\tfrac{1}{2}]Q_{i+1}$, we use the following algorithm, which is a slightly modified version of the standard algorithm:

-   Input: $P = (x, y)$ in affine coordinates and $Q = (u, u(u + \lambda_Q))$ represented by $(u, \lambda_Q)$
-   Output: $P + Q = (s, t)$ in affine coordinates

1. Calculate $\lambda = \dfrac{y + u(u + \lambda_Q)}{x + u}$
2. Calculate $s = \lambda^2 + \lambda + \alpha + x + u$
3. Calculate $t = (s + x)\lambda + s + y$
4. Result: $(s, t)$

This algorithm uses one inversion, three multiplications and one squaring.

Much time is saved by replacing doubling by halving. In affine coordinates, doubling and addition each require one inversion, two multiplications and one squaring. If the scalar of the multiplication is represented by a bit vector of length $m$ with $k$ non-zero components, the scalar multiplication requires:

TABLE 1

Operation                                Double and add    Halve and add
Inversions                               m + k             k
Multiplications                          2m + 2k           m + 3k
Squarings                                m + k             k
Solutions of λ² + λ = α + x              0                 m
Square roots                             0                 m
Checks                                   0                 m

Thus using halving saves $m$ inversions, $m - k$ multiplications and $m$ squarings at the cost of adding $m$ second degree equation solutions, $m$ square roots and $m$ checks.

In a polynomial basis, an execution time improvement of around 50% can be obtained.

In a normal basis, we estimate the time to calculate the square root, perform the check and solve the second degree equation to be negligible compared to the time to calculate a multiplication or an inversion. Assuming further that the time to calculate an inversion is equivalent to the time to calculate three multiplications, we arrive at an execution time improvement of 55%.

FIG. 2 is a diagram showing one possible application of the algorithms described above between two entities A and B exchanging information over a non-secure communication channel. Said communication channel can consist of simple electrical connections established between the two entities for the duration of a transaction. It can also include a radio and/or optical telecommunication network. In this instance the entity A is a microcircuit card and the entity B is a server. Once connected to each other via said communication channel, the two entities apply a common key construction protocol. For this purpose:

entity A has a secret key a

entity B has a secret key b

They must generate a secret key $x$ known only to them from a public key consisting of a point $P$ of odd order $r$ of a chosen non-supersingular elliptic curve $E$.

The protocol employed is a Diffie-Hellman protocol in which the usual "multiplication by two", referred to as the doubling operation, is replaced by the operation of the invention described above, referred to as "halving".

The algorithm for this is as follows:

the first entity (for example A) calculates the scalar multiplication $[a]P$ and sends the resulting point to the second entity,

the second entity (B) calculates the scalar multiplication $[b]P$ and sends the resulting point to the first entity,

the two entities respectively calculate a common point $C = (x, y)$ of said elliptic curve $E$ by respectively effecting the scalar multiplications $[a]([b]P)$ and $[b]([a]P)$, both equal to $[ab]P$, and

the two entities choose as their common key the coordinate $x$ of said common point $C$ obtained by said scalar multiplication $[ab]P$, at least one of the preceding scalar multiplications, and preferably all of them, being effected by means of the predefined halvings. Since halving is defined only on the odd order subgroup $G$, each entity must check that the point it receives lies in $G$ (for instance by verifying that $[r]$ times that point is $O$, or, on a minimal two-torsion curve, that $\lambda^2 + \lambda = \alpha + x$ is solvable for its abscissa $x$) before applying halvings to it.

To give a more precise example of this, FIG. 7 shows a server B connected to a communication network 1 via a communication interface 2, for example a modem interface. Similarly, a calculation station 3 is connected to the network 1 via a communication interface 4. The station 3 is equipped with a microcircuit card reader 5 into which the microcircuit card A is inserted.

The random access memory 6 of the server B contains a program 7 capable of executing cryptographic calculations on elliptic curves, in particular the product of a point by a scalar and the halving of a point.

The card A contains a central processor unit 11, a random access memory (RAM) 8, a read-only memory (ROM) 9 and an electrically erasable programmable read-only memory (EEPROM) 10. One of the memories 9 or 10 contains a program 12 capable of executing cryptographic calculations on elliptic curves, in particular the product of a point by a scalar and the halving of a point.

The two programs 7 and 12 share a common reference consisting of the same elliptic curve $(E)$ and the same point $P = (x_0, y_0)$ of $(E)$.

When A wishes to construct, in parallel with B, a common secret key for securing its dialog with B, it chooses a scalar $a$ and sends to B the product $Q = [a]P = (x_1, y_1)$. In response, B chooses a scalar $b$ and sends back to A the product $R = [b]P = (x_2, y_2)$.

A then calculates the product $[a]R = [ab]P = (x, y)$ and B calculates the product $[b]Q = [ab]P = (x, y)$, and A and B adopt $x$ as their common secret key.

These operations are represented in the table below. Those effected in the server B are indicated in the right-hand column and those effected in the card A in the left-hand column. The horizontal arrows symbolize transfers of information via the network 1.

TABLE 2

Another application of the invention applies between the two entities A and B of FIG. 7. It consists of a protocol for signing a message M transmitted between A and B via the non-secure channel, i.e. the network 1. The object of this protocol, the broad outlines of which are known in the art, is to make it certain that the message received by one entity was sent by the other entity.

To this end, the sending entity (for example A) has two permanent keys, namely a secret key $a$ and a public key $Q = [a]P$, $P$ being a point on an elliptic curve $(E)$, with $P$ and $(E)$ known to and agreed on by A and B. The public point $P$ is of odd order $r$ on the chosen non-supersingular elliptic curve $E$. The operations effected entail halvings in the sense defined above.

In one example:

the first entity (A) holding said pair of permanent keys constructs a single-use pair of keys, one key (g) chosen arbitrarily and the other key [g]P resulting from scalar multiplication of said arbitrarily chosen key (g) by the public point P of said elliptic curve, the coordinates of the key ([g]P) being denoted (x,y) with 2≦g≦r−2,

the first entity (A) converts the polynomial x of said single-use key [g]P=(x,y) into an integer i whose binary value is represented by the sequence of binary coefficients of said polynomial x,

said first entity (A) calculates a signature (c,d) of the message (M) as follows:

c=i modulo r

d=g⁻¹(M+ac) modulo r,

said first entity sends said message (M) and said signature (c, d) to said second entity; on receiving it:

said second entity (B) checks if the elements of said signature (c,d) each belong to the range [1, r−1],

if not, it declares the signature invalid and stops

if so, said second entity (B) calculates three parameters:

h=d⁻¹ modulo r

h₁=Mh modulo r

h₂=ch modulo r

said second entity calculates a point T of said elliptic curve by summing the scalar multiplications of the points P and Q by the last two parameters cited: T=[h₁]P+[h₂]Q

if the resultant point T is the neutral element, said second entity declares the signature invalid and stops.

if it is not the neutral element, considering the point T with coordinates x′ and y′: T=(x′,y′):

said second entity (B) converts the polynomial x′ of that point into an integer i′ whose binary value is represented by the sequence of binary coefficients of said polynomial x′,

said second entity (B) calculates c′=i′ modulo r, and:

checks that c′=c: if so it validates said signature and if not it invalidates it, at least one of the scalar multiplication operations, and preferably all of them, being effected by means of the predefined halvings.

These operations can be represented by the table below, in which the operations effected in the server B are indicated in the right-hand column and the operations effected in the card A are indicated in the left-hand column, the arrow between the two columns symbolizing the transfer of information via the network 1.

TABLE 3

1. A cryptographic method employed between two entities exchanging information via a non-secure communication channel, each of the two entities comprising a memory readable by a machine, tangibly embodying a program of instructions executable by the machine to perform the method, the method including a step of multiplying an odd order point of a non-supersingular elliptic curve by an integer, wherein, for exchanging information via the non-secure communication channel, the step of multiplying is performed by addition and halving operations of points of said elliptic curve, the halving of a point P being defined as the unique odd order point D such that [2]D=P, $\left[\frac{1}{2}\right]P$ denoting the point D.
 2. A method according to claim 1, where $F_{2^n}$ is a finite body of $2^n$ elements, $E(F_{2^n})$ is the sub-group of an elliptic curve E defined by: $E(F_{2^n}) = \{(x,y) \in F_{2^n} \times F_{2^n} \mid y^2 + xy = x^3 + \alpha x^2 + \beta\} \cup \{O\}$, $\alpha, \beta \in F_{2^n}$, $\beta \neq 0$, and $E[2^k]$ is the set of points P of said elliptic curve such that P added $2^k$ times to itself gives the neutral element O, where k is an integer greater than or equal to 1, wherein a point P=(x,y) of said elliptic curve gives by said halving the point $\left[\frac{1}{2}\right]P = (u_o, v_o)$ of said elliptic curve obtained by effecting the following operations: (a) seek a first value $\lambda_o$ such that $\lambda_o^2 + \lambda_o = \alpha + x$; (b) calculate a second value $u_o^2$ such that $u_o^2 = x(\lambda_o + 1) + y$; (c) if k has the value 1, check if the equation $\lambda^2 + \lambda = \alpha^2 + u_o^2$ has solutions in $F_{2^n}$; (d) if the check in step (c) is yes, calculate said halving as follows: $u_o = \sqrt{u_o^2}$, $v_o = u_o(u_o + \lambda_o)$ and $\left[\frac{1}{2}\right]P = (u_o, v_o)$; (e) if not, add x to said second value $u_o^2$ and 1 to said first value $\lambda_o$ and calculate said halving as in step (d); (f) if k is greater than 1, perform an iterative calculation as follows: (i) seek a value $\lambda_i$ such that $\lambda_i^2 + \lambda_i = \alpha + u_{i-1}$; and (ii) then calculate the value $u_i^2$ such that $u_i^2 = u_{i-1}(\lambda_i + \lambda_{i-1} + u_{i-1} + 1)$, incrementing i from i=1 until the value $u_{k-1}^2$ is obtained; (g) check whether the equation $\lambda^2 + \lambda = \alpha^2 + u_{k-1}^2$ has solutions in $F_{2^n}$; (h) if so, calculate said halving as follows: $u_o = \sqrt{u_o^2}$, $v_o = u_o(u_o + \lambda_o)$ and $\left[\frac{1}{2}\right]P = (u_o, v_o)$; and (i) if not, add x to the second value $u_o^2$ and 1 to said first value $\lambda_o$ and calculate said halving as in step (h).
 3. A method according to claim 1, where $F_{2^n}$ is a finite body of $2^n$ elements, $E(F_{2^n})$ is the sub-group of an elliptic curve E defined by: $E(F_{2^n}) = \{(x,y) \in F_{2^n} \times F_{2^n} \mid y^2 + xy = x^3 + \alpha x^2 + \beta\} \cup \{O\}$, $\alpha, \beta \in F_{2^n}$, $\beta \neq 0$, and $E[2^k]$ is the set of points P of said elliptic curve such that P added $2^k$ times to itself gives the neutral element O, where k is an integer greater than or equal to 1, wherein a point P=(x,y) of said elliptic curve gives by said halving the point $\left[\frac{1}{2}\right]P = (u_o, \lambda_o)$ of said elliptic curve, with $\lambda_o = u_o + v_o/u_o$, obtained by effecting the following operations: (a) seek a first value $\lambda_o$ such that $\lambda_o^2 + \lambda_o = \alpha + x$; (b) calculate a second value $u_o^2$ such that $u_o^2 = x(\lambda_o + 1) + y$; (c) if k has the value 1, check if the equation $\lambda^2 + \lambda = \alpha^2 + u_o^2$ has solutions in $F_{2^n}$; (d) if so, calculate said halving as follows: $u_o = \sqrt{u_o^2}$ and $\left[\frac{1}{2}\right]P = (u_o, \lambda_o)$; (e) if not, add x to said second value $u_o^2$ and 1 to said first value $\lambda_o$ and calculate said halving as in step (d); (f) if k is greater than 1, perform the following iterative calculation: (i) seek a value $\lambda_i$ such that $\lambda_i^2 + \lambda_i = \alpha + u_{i-1}$; and (ii) then calculate the value $u_i^2$ such that $u_i^2 = u_{i-1}(\lambda_i + \lambda_{i-1} + u_{i-1} + 1)$, incrementing i from i=1 until the value $u_{k-1}^2$ is obtained; (g) check if the equation $\lambda^2 + \lambda = \alpha^2 + u_{k-1}^2$ has solutions in $F_{2^n}$; (h) if so, calculate said halving as follows: $u_o = \sqrt{u_o^2}$ and $\left[\frac{1}{2}\right]P = (u_o, \lambda_o)$; and (i) if not, add x to said second value $u_o^2$ and 1 to said first value $\lambda_o$ to calculate said halving as in step (h).
 4. A method according to claim 1, where $F_{2^n}$ is a finite body of $2^n$ elements, $E(F_{2^n})$ is the sub-group of an elliptic curve E defined by: $E(F_{2^n}) = \{(x,y) \in F_{2^n} \times F_{2^n} \mid y^2 + xy = x^3 + \alpha x^2 + \beta\} \cup \{O\}$, $\alpha, \beta \in F_{2^n}$, $\beta \neq 0$, and $E[2^k]$ is the set of points P of said elliptic curve such that P added $2^k$ times to itself gives the neutral element O, where k is an integer greater than or equal to 1, wherein a point P=(x,y) of said elliptic curve represented by $(x, \lambda_p)$ with $\lambda_p = x + y/x$ gives by said halving the point $\left[\frac{1}{2}\right]P = (u_o, v_o)$ of said elliptic curve obtained by effecting the following operations: (a) seek a first value $\lambda_o$ such that $\lambda_o^2 + \lambda_o = \alpha + x$; (b) calculate a second value $u_o^2$ such that $u_o^2 = x(\lambda_o + \lambda_p + x + 1)$; (c) if k has the value 1, check if the equation $\lambda^2 + \lambda = \alpha^2 + u_o^2$ has solutions in $F_{2^n}$; (d) if so, calculate said halving as follows: $u_o = \sqrt{u_o^2}$, $v_o = u_o(u_o + \lambda_o)$, and $\left[\frac{1}{2}\right]P = (u_o, v_o)$; (e) if not, add x to said second value $u_o^2$ and 1 to said first value $\lambda_o$ and calculate said halving as in step (d); (f) if k is greater than 1, perform the following iterative calculation: (i) seek a value $\lambda_i$ such that $\lambda_i^2 + \lambda_i = \alpha + u_{i-1}$; and (ii) then calculate the value $u_i^2$ such that $u_i^2 = u_{i-1}(\lambda_i + \lambda_{i-1} + u_{i-1} + 1)$, incrementing i from i=1 until the value $u_{k-1}^2$ is obtained; (g) check if the equation $\lambda^2 + \lambda = \alpha^2 + u_{k-1}^2$ has solutions in $F_{2^n}$; (h) if so, calculate said halving as follows: $u_o = \sqrt{u_o^2}$, $v_o = u_o(u_o + \lambda_o)$, and $\left[\frac{1}{2}\right]P = (u_o, v_o)$; and (i) if not, add x to said second value $u_o^2$ and 1 to said first value $\lambda_o$ and calculate said halving as in step (h).
 5. A method according to claim 1, where $F_{2^n}$ is a finite body of $2^n$ elements, $E(F_{2^n})$ is the sub-group of an elliptic curve E defined by: $E(F_{2^n}) = \{(x,y) \in F_{2^n} \times F_{2^n} \mid y^2 + xy = x^3 + \alpha x^2 + \beta\} \cup \{O\}$, $\alpha, \beta \in F_{2^n}$, $\beta \neq 0$, and $E[2^k]$ is the set of points P of said elliptic curve such that P added $2^k$ times to itself gives the neutral element O, where k is an integer greater than or equal to 1, wherein a point P=(x,y) of said elliptic curve represented by $(x, \lambda_p)$ with $\lambda_p = x + y/x$ gives by said halving the point $\left[\frac{1}{2}\right]P = (u_o, v_o)$ of said elliptic curve represented by $(u_o, \lambda_o)$, with $\lambda_o = u_o + v_o/u_o$, obtained by effecting the following operations: (a) seek a first value $\lambda_o$ such that $\lambda_o^2 + \lambda_o = \alpha + x$; (b) calculate a second value $u_o^2$ such that $u_o^2 = x(\lambda_o + \lambda_p + x + 1)$; (c) if k has the value 1, check if the equation $\lambda^2 + \lambda = \alpha^2 + u_o^2$ has solutions in $F_{2^n}$; (d) if so, calculate said halving as follows: $u_o = \sqrt{u_o^2}$ and $\left[\frac{1}{2}\right]P = (u_o, \lambda_o)$; (e) if not, add x to said second value $u_o^2$ and 1 to said first value $\lambda_o$ and calculate said halving as in step (d); (f) if k is greater than 1, perform the following iterative calculation: (i) seek a value $\lambda_i$ such that $\lambda_i^2 + \lambda_i = \alpha + u_{i-1}$; and (ii) then calculate the value $u_i^2$ such that $u_i^2 = u_{i-1}(\lambda_i + \lambda_{i-1} + u_{i-1} + 1)$, incrementing i from i=1 until the value $u_{k-1}^2$ is obtained; (g) check if the equation $\lambda^2 + \lambda = \alpha^2 + u_{k-1}^2$ has solutions in $F_{2^n}$; (h) if so, calculate said halving as follows: $u_o = \sqrt{u_o^2}$ and $\left[\frac{1}{2}\right]P = (u_o, \lambda_o)$; and (i) if not, add x to said second value $u_o^2$ and 1 to said first value $\lambda_o$ and calculate said halving as in step (h).
 6. A method according to claim 1, further comprising constructing a common key from two secret keys respectively belonging to the aforementioned two entities and a public key consisting of the point P of odd order r of a chosen non-supersingular elliptic curve E.
 7. A method according to claim 6, wherein a and b are the secret keys of the first and second entities, respectively, and: (a) the first entity calculates the scalar multiplication [a]P and sends the result point to the second entity, (b) the second entity calculates the scalar multiplication [b]P and sends the result point to the first entity, (c) the two entities respectively calculate a common point (C)=(x,y) of said elliptic curve (E) by respectively effecting the scalar multiplications [a]([b]P) and [b]([a]P), both equal to [a.b]P, and (d) the two entities choose as their common key the coordinate (x) of said common point (C) obtained by said scalar multiplication [a.b]P, at least one of the preceding scalar multiplications, and preferably all of them, being effected by means of predefined halvings.
 8. A method according to claim 7, wherein scalar multiplication using halvings is obtained by the following operations: (e) if said scalar of the multiplication is denoted S, choose m+1 values $S_0, \ldots, S_m \in \{0,1\}$ to define S as follows: $S = \sum_{i=0}^{m} S_i \left(\frac{r+1}{2}\right)^i$, r being the aforementioned odd order and m being the single integer between log₂(r)−1 and log₂(r), (f) calculate the scalar multiplication [S]P of a point P of said elliptic curve by the scalar S by applying an algorithm consisting of determining the series of points $(Q_{m+1}, Q_m, \ldots, Q_i, \ldots, Q_0)$ of said elliptic curve E such that: $Q_{m+1} = O$ (neutral element), and $Q_i = [S_i]P + \left[\frac{1}{2}\right]Q_{i+1}$ with $0 \le i \le m$, and (g) calculate the last point $Q_0$ of said series giving the result [S]P of said scalar multiplication.
 9. A method according to claim 1, further comprising calculating a signature between two entities based on a pair of permanent keys belonging to one of the entities, one secret (a) and the other public (Q), by scalar multiplication of the secret key (a) by another public key consisting of the point (P) of odd order r of a chosen non-supersingular elliptic curve (E).
 10. A method according to claim 9, further comprising the following operations: (a) the first entity (A) holding said pair of permanent keys constructs a single-use pair of keys, one key (g) being chosen arbitrarily and the other key [g]P resulting from scalar multiplication of said arbitrarily chosen key (g) by the public point P of said elliptic curve, the coordinates of the key ([g]P) being denoted (x,y) with 2≦g≦r−2, (b) the first entity (A) converts the polynomial x of said single-use key [g]P=(x,y) into an integer i whose binary value is represented by the sequence of binary coefficients of said polynomial x, (c) said first entity (A) calculates a signature (c,d) of the message (M) as follows: c=i modulo r, d=g⁻¹(M+ac) modulo r, (d) said first entity sends said message (M) and said signature (c, d) to said second entity; upon receiving it: (i) said second entity (B) checks if the elements of said signature (c,d) each belong to the range [1, r−1], (ii) if the check in step (i) is no, the second entity declares the signature invalid and stops; (iii) if the check in step (i) is yes, said second entity (B) calculates three parameters: h=d⁻¹ modulo r, h₁=Mh modulo r, and h₂=ch modulo r, (e) said second entity calculates a point T of said elliptic curve by summing the scalar multiplications of the points P and Q by the last two parameters cited: T=[h₁]P+[h₂]Q, and (i) if the resultant point T is the neutral element, said second entity declares the signature invalid and stops; (ii) if the resultant point T is not the neutral element, considering the point T with coordinates x′ and y′: T=(x′,y′), (A) said second entity (B) converts the polynomial x′ of that point into an integer i′ whose binary value is represented by the sequence of binary coefficients of said polynomial x′, (B) said second entity (B) calculates c′=i′ modulo r and, (C) said second entity (B) checks if c′=c, in which case said second entity (B) validates said signature, or if not, said second entity (B) invalidates said signature, at least one aforementioned scalar multiplication operation being effected by means of the predefined halvings.
 11. A method according to claim 1, wherein said integer is decomposed as a set of values using powers of half said order, and said addition and halving operations are implemented dependent on said set of values.
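The key exchange of FIG. 7, the halving of claim 2 (case k = 1) and the halve-and-add multiplication of claim 8, worked through on a toy binary curve as an added example that is not part of the patent: the field GF(2^5) with reduction polynomial x^5 + x^2 + 1, the curve y² + xy = x³ + x² + 6, the point (1, 2) and its double as public point are all constructed choices, and the field inverse, square root and root of λ² + λ = c are found by exhaustive search, which only a toy field allows.

```python
N, POLY, A, B = 5, 0b100101, 1, 6             # constructed toy parameters: GF(2^5) mod x^5+x^2+1, curve y^2+xy = x^3+Ax^2+B
def fmul(a, b):                               # carry-less product of two field elements, reduced modulo POLY
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = a << 1, b >> 1
        a ^= POLY if a >> N else 0
    return r
def finv(a):  return next(b for b in range(1, 2 ** N) if fmul(a, b) == 1)   # exhaustive search: toy field only
def fsqrt(a): return next(s for s in range(2 ** N) if fmul(s, s) == a)      # squaring is a bijection in GF(2^n)
def solve_quad(c):                            # a root of lambda^2 + lambda = c, or None; roots exist iff Tr(c) = 0
    return next((l for l in range(2 ** N) if fmul(l, l) ^ l == c), None)

def add(P, Q):                                # affine group law on the curve; None plays the neutral element O
    if P is None or Q is None: return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2:
        if y1 != y2 or x1 == 0: return None   # Q = -P = (x1, x1 + y1), or P is the 2-torsion point (0, sqrt(B))
        lam = x1 ^ fmul(y1, finv(x1))         # doubling: lambda = x + y/x
    else:
        lam = fmul(y1 ^ y2, finv(x1 ^ x2))
    x3 = fmul(lam, lam) ^ lam ^ x1 ^ x2 ^ A   # x1 ^ x2 vanishes in the doubling case
    return (x3, fmul(lam, x1 ^ x3) ^ x3 ^ y1)

def halve(P):                                 # [1/2]P for P of odd order: steps (a)-(e) of claim 2 with k = 1
    if P is None: return None
    x, y = P
    lam = solve_quad(A ^ x)                   # (a) lambda_o^2 + lambda_o = alpha + x; solvable because Tr(x) = Tr(alpha)
    u_sq = fmul(x, lam ^ 1) ^ y               # (b) u_o^2 = x(lambda_o + 1) + y
    if solve_quad(fmul(A, A) ^ u_sq) is None: # (c) lambda^2 + lambda = alpha^2 + u_o^2 has no root, so ...
        u_sq, lam = u_sq ^ x, lam ^ 1         # (e) ... take the other root: u_o^2 += x, lambda_o += 1
    u = fsqrt(u_sq)                           # (d) u_o = sqrt(u_o^2), v_o = u_o(u_o + lambda_o)
    return (u, fmul(u, u ^ lam))
def order(P):                                 # exact order of P by repeated addition (toy sizes only)
    n, Q = 1, P
    while Q is not None: Q, n = add(Q, P), n + 1
    return n
def mul_by_doubling(S, P):                    # classic double-and-add, kept only as a cross-check
    Q = None
    for bit in bin(S)[2:]: Q = add(Q, Q) if bit == '0' else add(add(Q, Q), P)
    return Q

def mul_by_halving(S, P, r):                  # claim 8: S = sum S_i ((r+1)/2)^i, Q_i = [S_i]P + [1/2]Q_(i+1)
    m = r.bit_length() - 1                    # 2^m <= r < 2^(m+1)
    Sp = (S << m) % r                         # (r+1)/2 = 2^-1 mod r, so S_i is bit (m - i) of S*2^m mod r
    Q = None                                  # Q_(m+1) = O
    for i in range(m, -1, -1):
        Q = add(P, halve(Q)) if (Sp >> (m - i)) & 1 else halve(Q)
    return Q                                  # Q_0 = [S]P
def diffie_hellman(a, b, P, r):               # FIG. 7: A sends [a]P, B sends [b]P, both keep x of [ab]P
    Qa, Rb = mul_by_halving(a, P, r), mul_by_halving(b, P, r)
    return mul_by_halving(a, Rb, r)[0], mul_by_halving(b, Qa, r)[0]
P = add((1, 2), (1, 2))                       # (1, 2) lies on the curve; its double lies in the odd-order subgroup
R = order(P)                                  # the odd order r of the public point P
```

Because Tr(α) = 1 the curve order is 2r with r odd, which is the k = 1 case of the claims; the test in step (c) is what selects, between the two roots λ_o and λ_o + 1, the one whose preimage has odd order.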